In the spirit of trust, transparency and open source collaboration, I am publishing the setup, scripts and configuration details on GitHub: https://github.com/pysiak/dnscrypt.pl

Infrastructure and setup

Your queries arrive at one of the 3 Rust-based encrypted-dns-server instances. All instances share a no-log setup and default cache settings for 100k entries. They differ only in the blocklists applied:

  • dnscrypt.pl is poz1.dnscrypt.pl:2053 and has 0 blocklists
  • dnscrypt.pl-guardian is poz1.dnscrypt.pl:2054 and has 6 sources of blocklists

They share the same whitelist and unbound configuration: https://github.com/pysiak/dnscrypt.pl/tree/main/configs

If your query is not satisfied by the cache at this level, it is forwarded to a locally running, DNSSEC-enabled unbound instance, which has its own cache. If the query is not satisfied there either, it is resolved starting from the root name servers. No forwarding upstream.
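A client can confirm the DNSSEC behaviour of this chain from the responses it gets back. The sketch below is an added example, not code from the dnscrypt.pl repository: it builds a query with the EDNS0 DO bit and judges two responses, one for a correctly signed name and one for a deliberately mis-signed test name. It assumes the raw responses were obtained through your local DNSCrypt client; the sample responses are constructed headers.

```python
import struct

QR, RA, AD = 0x8000, 0x0080, 0x0020  # DNS header flag bits
SERVFAIL = 2

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD=1 and an EDNS0 OPT record whose DO bit requests DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(msg):
    """Extract the flags a client needs to judge DNSSEC validation."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "ad": bool(flags & AD), "rcode": flags & 0x000F}

def validates_dnssec(signed_resp, bogus_resp):
    """True only if the signed name came back authenticated (AD=1, NOERROR)
    and the mis-signed name was refused with SERVFAIL."""
    good, bad = parse_header(signed_resp), parse_header(bogus_resp)
    return (good["qr"] and good["ad"] and good["rcode"] == 0
            and bad["qr"] and not bad["ad"] and bad["rcode"] == SERVFAIL)

def _resp(flags):
    # Constructed sample: a header-only response with the given flags word
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

SIGNED_AD = _resp(0x81A0)       # QR, RD, RA, AD, NOERROR
BOGUS_SERVFAIL = _resp(0x8182)  # QR, RD, RA, SERVFAIL
NO_AD_NOERROR = _resp(0x8180)   # what a non-validating resolver returns for both

if __name__ == "__main__":
    print("validating resolver:", validates_dnssec(SIGNED_AD, BOGUS_SERVFAIL))
    print("non-validating resolver:", validates_dnssec(NO_AD_NOERROR, NO_AD_NOERROR))
```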

All encrypted-dns-server instances produce metrics, which are pulled by a Prometheus instance, and a Grafana server pulls from Prometheus.

The manual blocks include such stuff as: